Anomaly network intrusion detection system based on NetFlow using machine/deep learning
Abstract
Introduction/purpose: Anomaly detection-based Network Intrusion Detection Systems (NIDSs) have emerged as a valuable tool, particularly in the military field, for protecting networks against cyberattacks by distinguishing normal from abnormal patterns in NetFlow data. This study investigates the effectiveness of anomaly-based machine learning (ML) and deep learning (DL) models in NIDSs on the publicly available NF-UQ-NIDS dataset, which is built from NetFlow records, with the aim of enhancing network protection.
Methods: The reference work by Sarhan, M., Layeghy, S., Moustafa, N. and Portmann, M., published in the 2021 conference proceedings Big Data Technologies and Applications, applies a preprocessing step in which 8 of the 12 available features are selected for the training phase. Notably, the source and destination IP addresses, as well as their associated ports, are specifically excluded. The novelty of this paper lies in preprocessing these excluded features and including them in the training phase, employing various classification ML and DL algorithms, namely ExtraTrees, ANN, a simple CNN, and VGG16, for binary classification.
Results: The performance of the classification models is evaluated using metrics such as accuracy and recall, which provide a comprehensive analysis of the obtained results. The results show that the ExtraTrees ML model outperforms all other models when trained on the proposed preprocessed features, achieving a classification accuracy of 99.09%, compared to 97.25% on the reference feature set.
Conclusion: The study demonstrates the effectiveness of anomaly-based ML and DL models in NIDSs using NetFlow data.
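As an added example (not code from the paper or from the NF-UQ-NIDS authors), the block below shows one way the address and port fields that the reference preprocessing drops could be turned into numeric features, together with the accuracy, precision and recall computation used to score a binary classifier as described in the Methods and Results paragraphs. The column names follow the NetFlow feature set published with NF-UQ-NIDS (an assumption, since this abstract does not list them); the octet-split and port-range encoding, the RFC 1918 flag and the sample flows are constructed for illustration and are not the paper's actual preprocessing.

```python
"""Illustrative NetFlow feature engineering and binary-classification metrics.

Added example: the encoding below is an assumption for demonstration and is
not the preprocessing used by the paper or by the NF-UQ-NIDS reference work.
"""
from __future__ import annotations

import ipaddress

# NetFlow v1 feature set published with NF-UQ-NIDS (assumed column order;
# the abstract above does not list the columns). Label 1 marks an attack flow.
COLUMNS = [
    "IPV4_SRC_ADDR", "L4_SRC_PORT", "IPV4_DST_ADDR", "L4_DST_PORT",
    "PROTOCOL", "L7_PROTO", "IN_BYTES", "OUT_BYTES", "IN_PKTS", "OUT_PKTS",
    "TCP_FLAGS", "FLOW_DURATION_MILLISECONDS", "Label",
]

# The four fields the reference preprocessing excludes; this example keeps them.
ADDRESS_PORT_FIELDS = {"IPV4_SRC_ADDR", "L4_SRC_PORT", "IPV4_DST_ADDR", "L4_DST_PORT"}

# RFC 1918 ranges used for a simple "private source/destination" indicator.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (all values invented for this example).
SAMPLE_FLOWS = [
    dict(zip(COLUMNS, ("192.168.1.10", 52341, "10.0.0.5", 443, 6, 91, 1200, 8400, 10, 12, 27, 250, 0))),
    dict(zip(COLUMNS, ("192.168.1.11", 41022, "10.0.0.5", 22, 6, 92, 900, 1500, 8, 9, 27, 4000, 0))),
    dict(zip(COLUMNS, ("203.0.113.7", 60001, "10.0.0.5", 23, 6, 0, 60, 0, 1, 0, 2, 0, 1))),
    dict(zip(COLUMNS, ("203.0.113.7", 60002, "10.0.0.5", 3389, 6, 0, 60, 0, 1, 0, 2, 0, 1))),
]


def ip_to_features(ip: str) -> list[int]:
    """Split a dotted quad into its four octets and append an RFC 1918 flag,
    so a model sees address structure rather than an opaque string."""
    addr = ipaddress.IPv4Address(ip)
    private = int(any(addr in net for net in RFC1918))
    return list(addr.packed) + [private]


def port_to_features(port: int) -> list[int]:
    """Raw port number plus a one-hot over the three IANA port ranges."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    system = int(port <= 1023)
    registered = int(1024 <= port <= 49151)
    dynamic = int(port >= 49152)
    return [port, system, registered, dynamic]


def flow_to_vector(flow: dict, keep_addresses: bool = True) -> list[float]:
    """Build the numeric feature vector for one flow.

    keep_addresses=False reproduces the reference choice of dropping the IP
    and port columns, leaving the 8 remaining NetFlow fields.
    """
    vec: list[float] = []
    for col in COLUMNS[:-1]:  # Label is the target, not a feature
        if col in ADDRESS_PORT_FIELDS:
            if not keep_addresses:
                continue
            if col.endswith("ADDR"):
                vec.extend(ip_to_features(flow[col]))
            else:
                vec.extend(port_to_features(flow[col]))
        else:
            vec.append(float(flow[col]))
    return vec


def binary_metrics(y_true: list[int], y_pred: list[int]) -> dict[str, float]:
    """Accuracy, precision and recall from two 0/1 label sequences."""
    if len(y_true) != len(y_pred):
        raise ValueError("label sequences differ in length")
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    total = tp + tn + fp + fn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": tp / (tp + fp) if (tp + fp) else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
    }


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(len(flow_to_vector(flow, keep_addresses=False)), "->", len(flow_to_vector(flow)))
    # Constructed predictions for the four sample flows, to show the metric output.
    truth = [f["Label"] for f in SAMPLE_FLOWS]
    print(binary_metrics(truth, [0, 1, 1, 1]))
```

With `keep_addresses=False` the vector has the 8 fields the reference work trains on; keeping the address and port columns expands it to 26 numeric features. One thing to check when evaluating features derived from addresses is that the held-out split contains hosts the model never saw during training, since per-address features can otherwise let a classifier memorise the specific endpoints present in a dataset rather than learn traffic behaviour.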
References
Anitha, A.A. & Arockiam, L. 2019. ANNIDS: Artificial Neural Network based Intrusion Detection System for Internet of Things. International Journal of Innovative Technology and Exploring Engineering (IJITEE), 8(11), pp. 2583–2588. Available at: https://doi.org/10.35940/ijitee.K1875.0981119.
Bahlali, A.R. 2019. Anomaly-Based Network Intrusion Detection System: A Machine Learning Approach. MA thesis. Biskra, Algeria: University of Mohamed Khider, Faculty of Exact, Natural and Life Sciences, Computer Science Department. Available at: https://doi.org/10.13140/RG.2.2.29553.84325.
Cahyo, A.N., Hidayat, R. & Adhipta, D. 2016. Performance comparison of intrusion detection system based anomaly detection using artificial neural network and support vector machine. AIP Conference Proceedings, 1755(1), art.number: 070011, pp. 1–7. Available at: https://doi.org/10.3969/j.issn.1002-6819.2015.01.028.
Cao, C., Panichella, A., Verwer, S., Blaise, A. & Rebecchi, F. 2022. ENCODE: Encoding NetFlows for State-Machine Learning. arXiv:2207.03890. Available at: https://doi.org/10.48550/arXiv.2207.03890.
Cisco. 2011. NetFlow Version 9 Flow-Record Format [online]. Available at: https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html [Accessed: 10 August 2023].
Figueiredo, J., Serrão, C. & de Almeida, A.M. 2023. Deep Learning Model Transposition for Network Intrusion Detection Systems. Electronics, 12(2), art.number: 293. Available at: https://doi.org/10.3390/electronics12020293.
Fosić, I., Žagar, D., Grgić, K. & Križanović, V. 2023. Anomaly detection in NetFlow network traffic using supervised machine learning algorithms. Journal of Industrial Information Integration, 33, art.number: 100466. Available at: https://doi.org/10.1016/j.jii.2023.100466.
Hofstede, R., Čeleda, P., Trammell, B., Drago, I., Sadre, R., Sperotto, A. & Pras, A. 2014. Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX. IEEE Communications Surveys and Tutorials, 16(4), pp. 2037–2064. Available at: https://doi.org/10.1109/COMST.2014.2321898.
Labonne, M. 2020. Anomaly-based network intrusion detection using machine learning. Ph.D. thesis, Institut polytechnique de Paris. [online]. Available at: https://theses.hal.science/tel-02988296 [Accessed: 10 August 2023].
Liu, X., Tang, Z. & Yang, B. 2019. Predicting Network Attacks with CNN by Constructing Images from NetFlow Data. In: 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). Washington, DC, USA, pp. 61–66, May 27–29. Available at: https://doi.org/10.1109/BigDataSecurity-HPSC-IDS.2019.00022.
Rizvi, S., Scanlon, M., McGibney, J. & Sheppard, J. 2023. Deep Learning Based Network Intrusion Detection System for Resource-Constrained Environments. In: Goel, S., Gladyshev, P., Nikolay, A., Markowsky, G. & Johnson, D. (Eds.) Digital Forensics and Cyber Crime. ICDF2C 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Boston, MA, 508, pp. 355–367, November 16–18. Cham: Springer. Available at: https://doi.org/10.1007/978-3-031-36574-4_21.
Sarhan, M., Layeghy, S., Moustafa, N. & Portmann, M. 2021. NetFlow Datasets for Machine Learning-Based Network Intrusion Detection Systems. In: Deze, Z., Huang, H., Hou, R., Rho, S. & Chilamkurti, N. (Eds.) Big Data Technologies and Applications. BDTA WiCON 2020 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Virtual Event, 371, pp. 117–135, December 11. Cham: Springer. Available at: https://doi.org/10.1007/978-3-030-72802-1_9.
Sarhan, M., Layeghy, S. & Portmann, M. 2022. Towards a Standard Feature Set for Network Intrusion Detection System Datasets. Mobile Networks and Applications, 27, pp. 357–370. Available at: https://doi.org/10.1007/s11036-021-01843-0.
Tufan, E., Tezcan, C. & Acartürk, C. 2021. Anomaly-Based Intrusion Detection by Machine Learning: A Case Study on Probing Attacks to an Institutional Network. IEEE Access, 9, pp. 50078–50092. Available at: https://doi.org/10.1109/ACCESS.2021.3068961.
Van, N.T., Thinh, T.N. & Sach, L.T. 2017. An anomaly-based network intrusion detection system using Deep learning. In: 2017 International Conference on System Science and Engineering (ICSSE). Ho Chi Minh City, Vietnam, pp. 210–214, September 11. Available at: https://doi.org/10.1109/ICSSE.2017.8030867.
Copyright (c) 2023 Touati B. Adli, Salem-Bilal B. Amokrane, Boban Z. Pavlović, Mohammad Zouaoui M. Laidouni, Taki-eddine Ahmed A. Benyahia

This work is licensed under a Creative Commons Attribution 4.0 International License.